Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

utils: mkdirall: fix handling of suid/sgid bits #4400

Merged
merged 4 commits into from
Sep 14, 2024
Merged

utils: mkdirall: fix handling of suid/sgid bits #4400

merged 4 commits into from
Sep 14, 2024

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Sep 13, 2024
edited
Loading

Draft until filepath-securejoin v0.3.2 is released.

This fixes some minor issues with suid/sgid bits introduced by #4393.

/cc @lifubang
Fixes #4401
Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 74139b6 to 85b09d6 Compare September 13, 2024 07:53
@cyphar
tests: add regression test for CVE-2019-19921 / CVE-2023-27561
457e1ff 
We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 14a5320 to 079ebc3 Compare September 13, 2024 08:17
@cyphar
Copy link
Member Author

cyphar commented Sep 13, 2024

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

@lifubang
Copy link
Member

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

Has verified that it has indeed fixed the dind issue. Thanks.

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from 079ebc3 to a93a25e Compare September 13, 2024 10:50
@cyphar cyphar marked this pull request as ready for review September 13, 2024 10:50
@cyphar
Copy link
Member Author

cyphar commented Sep 13, 2024

I've released a new version of filepath-securejoin, so this should be ready now.

rata
rata approved these changes Sep 13, 2024
View reviewed changes
Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

libcontainer/utils/utils_unix.go Outdated Show resolved Hide resolved
tests/integration/mounts.bats Show resolved Hide resolved
@cyphar
utils: mkdirall: mask silently ignored mode bits to match os.MkdirAll
646efe7 
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
vendor: update to github.com/cyphar/[email protected]
066b109 
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
tests: integration: add setgid mkdirall test
d8844e2 
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from a93a25e to d8844e2 Compare September 13, 2024 13:34
rata
rata approved these changes Sep 13, 2024
View reviewed changes
Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still LGTM

kolyshkin
kolyshkin approved these changes Sep 14, 2024
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin kolyshkin merged commit d5ee7a5 into opencontainers:main Sep 14, 2024
42 checks passed
@cyphar cyphar deleted the mkdirall-suidsgid-bits branch September 14, 2024 03:33
@github-actions github-actions bot mentioned this pull request Oct 27, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@rata rata rata approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

mkdirall regression with filepath.MkdirAll
4 participants
@cyphar @lifubang @rata @kolyshkin